Skip to content

fix: additional defensive checks in Groth16 (#629) #163

fix: additional defensive checks in Groth16 (#629)

fix: additional defensive checks in Groth16 (#629) #163

# SPDX-License-Identifier: Apache-2.0
name: "Publish Snapshot Release"
on:
push:
branches:
- main
workflow_dispatch:
defaults:
run:
shell: bash
permissions:
contents: read
env:
REGISTRY: ghcr.io
LC_ALL: C.UTF-8
GRADLE_CACHE_USERNAME: ${{ secrets.GRADLE_CACHE_USERNAME }}
GRADLE_CACHE_PASSWORD: ${{ secrets.GRADLE_CACHE_PASSWORD }}
GRADLE_VERSION: wrapper
JAVA_DISTRIBUTION: temurin
JAVA_VERSION: 25.0.2
jobs:
publish-maven-central:
name: Publish Maven Central
runs-on: hl-crypto-lin-md
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
- name: Setup Java
uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
with:
distribution: ${{ env.JAVA_DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
- name: Setup Gradle
uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
with:
gradle-version: ${{ env.GRADLE_VERSION }}
- name: Install GnuPG Tools
run: |
if ! command -v gpg2 >/dev/null 2>&1; then
echo "::group::Updating APT Repository Indices"
sudo apt update
echo "::endgroup::"
echo "::group::Installing GnuPG Tools"
sudo apt install -y gnupg2
echo "::endgroup::"
fi
- name: Import GPG key
id: gpg_key
uses: step-security/ghaction-import-gpg@69c854a83c7f79463f8bdf46772ab09826c560cd # v.6.3.1
with:
gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }}
passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }}
git_config_global: true
git_user_signingkey: true
git_commit_gpgsign: true
git_tag_gpgsign: false
# This step updates the version number to a snapshot in version.txt when publishing a snapshot release.
- name: Add SNAPSHOT Suffix to Current Version
run: ./gradlew versionAsSnapshot
# Technically, this step is not required but is executed to provide the end users with a summary of the version
# numbers assigned to each published artifact.
- name: Version Report
run: ./gradlew githubVersionSummary
# Technically, this step is not required because the release steps will build what is required; however,
# if one or more components fails to build then it could result in a partial publish to Maven Central.
# The inclusion of this step ensures the job fails cleanly without publishing to Maven Central if any of the
# components fail to build.
- name: Gradle Assemble
run: ./gradlew assemble
# The steps below publish the artifacts to the Maven Central Nexus repository.
- name: Gradle Publish to Maven Central
env:
NEXUS_USERNAME: ${{ secrets.CENTRAL_PUBLISHING_USERNAME }}
NEXUS_PASSWORD: ${{ secrets.CENTRAL_PUBLISHING_PASSWORD }}
run: ./gradlew publishAggregationToCentralPortal -PpublishSigningEnabled=true